BlackBerry warns of TIFF-based BES vulnerability

BlackBerry has recently issued a warning that enterprise servers could be remotely accessed when they process images in TIFF format. Attackers would need to craft a specific web page and get someone with sufficient privileges to click on a link to that page on their BlackBerry. Alternatively, they could send an e-mail or an instant message containing such an image, and the recipient wouldn't even have to answer it for the exploit to work. Here's a snippet from the recently released knowledge base article...

Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

We've seen these kinds of security vulnerability warnings before, and generally when they're this high on the severity scale, they get taken care of pretty quickly. In fact, a software patch is already available to fix this TIFF vulnerability: admins just have to update their servers to version 5.0.4 MR2 or download an interim release.

So, end users: so long as your IT dude is competent and keeping the BES software up to date, you really don't have anything to worry about.
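As an added example (not from BlackBerry or from this article, which gives no details of the parsing flaw), here is a small Python check that a mail gateway or admin script could run on attachments while servers are still waiting for the 5.0.4 MR2 update: it identifies TIFF content by its signature bytes regardless of the filename, rejects files whose header or first image file directory (IFD) points outside the file, and holds well-formed TIFFs until the server is patched. The filenames, byte samples and the `patched` flag are constructed for the example; the routine is a generic TIFF structure check, not a signature for the specific BlackBerry bugs.

```python
import struct

# TIFF signature bytes -> struct byte-order prefix
TIFF_MAGIC = {b"II*\x00": "<", b"MM\x00*": ">"}

# Byte width of each TIFF field type (TIFF 6.0, types 1-12)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def sniff_tiff(data: bytes):
    """Return the byte-order prefix ('<' or '>') if data carries a TIFF signature, else None."""
    return TIFF_MAGIC.get(bytes(data[:4]))


def check_tiff(data: bytes, max_entries: int = 512) -> dict:
    """Structural sanity check of the TIFF header and first IFD.

    Returns a dict with is_tiff, ok and either a reason (on failure) or the
    list of tags found. Only offsets and counts are validated; pixel data is
    never decoded, so this is cheap enough to run on every attachment.
    """
    order = sniff_tiff(data)
    if order is None:
        return {"is_tiff": False, "ok": False, "reason": "no TIFF signature"}
    if len(data) < 8:
        return {"is_tiff": True, "ok": False, "reason": "truncated header"}
    (ifd_off,) = struct.unpack(order + "I", data[4:8])
    # The first IFD must follow the 8-byte header and fit inside the file.
    if ifd_off < 8 or ifd_off + 2 > len(data):
        return {"is_tiff": True, "ok": False, "reason": "first IFD offset outside file"}
    (count,) = struct.unpack(order + "H", data[ifd_off:ifd_off + 2])
    if count == 0 or count > max_entries:
        return {"is_tiff": True, "ok": False, "reason": f"implausible IFD entry count {count}"}
    # count entries of 12 bytes each, followed by the 4-byte next-IFD offset
    if ifd_off + 2 + 12 * count + 4 > len(data):
        return {"is_tiff": True, "ok": False, "reason": "IFD truncated"}
    tags = []
    for i in range(count):
        pos = ifd_off + 2 + 12 * i
        tag, ftype, fcount, value = struct.unpack(order + "HHII", data[pos:pos + 12])
        if ftype not in TYPE_SIZES:
            return {"is_tiff": True, "ok": False, "reason": f"unknown field type {ftype} for tag {tag}"}
        size = TYPE_SIZES[ftype] * fcount
        # Values wider than 4 bytes are stored elsewhere at offset `value`;
        # that region must also lie inside the file.
        if size > 4 and value + size > len(data):
            return {"is_tiff": True, "ok": False, "reason": f"tag {tag} value offset outside file"}
        tags.append(tag)
    return {"is_tiff": True, "ok": True, "tags": tags}


def triage_attachment(filename: str, data: bytes, patched: bool) -> str:
    """Decide what to do with one attachment: 'pass', 'hold' or 'reject'.

    The declared filename is deliberately ignored for the TIFF decision, since
    a renamed file still reaches the image-rendering code on the server.
    """
    result = check_tiff(data)
    if not result["is_tiff"]:
        return "pass"
    if not result["ok"]:
        return "reject"  # malformed TIFF: nothing legitimate to render
    return "pass" if patched else "hold"  # well-formed TIFF, but server still unpatched


def build_minimal_tiff(entries, order="<") -> bytes:
    """Construct a TIFF (header + one IFD) for the samples below.

    entries: (tag, type, count, value_or_offset) tuples; the last field is
    packed as a 4-byte unsigned, which is correct for LONG values and offsets.
    """
    magic = b"II*\x00" if order == "<" else b"MM\x00*"
    ifd = struct.pack(order + "H", len(entries))
    for tag, ftype, fcount, value in entries:
        ifd += struct.pack(order + "HHII", tag, ftype, fcount, value)
    ifd += struct.pack(order + "I", 0)  # no further IFDs
    return magic + struct.pack(order + "I", 8) + ifd


# Constructed samples (hypothetical attachments, not real malware): a valid
# 64x64 image skeleton, a TIFF behind a .jpg name, three malformed variants
# and a non-TIFF file.
SAMPLES = {
    "photo.tif": build_minimal_tiff([(256, 4, 1, 64), (257, 4, 1, 64)]),
    "photo.jpg": build_minimal_tiff([(256, 4, 1, 64)]),
    "bad_offset.tif": b"II*\x00" + struct.pack("<I", 0xFFFFFF00),  # IFD pointer past end of file
    "bad_count.tif": b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0xFFFF),
    "dangling.tif": build_minimal_tiff([(270, 2, 100, 8)]),  # 100-byte ASCII value overruns the file
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def triage_all(patched: bool) -> dict:
    """Run the triage over every sample and return name -> verdict."""
    return {name: triage_attachment(name, data, patched) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(patched=False).items():
        print(f"{name:16s} {verdict:7s} {check_tiff(SAMPLES[name]).get('reason', '')}")
```

The check only walks the first IFD, which is where a renderer starts reading; once the server is patched the `hold` verdict can be dropped and the structural check kept as a cheap filter for obviously broken files.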

Yes, you can use obfuscation to hide a program within a TIFF; it's how many PSP exploits were found out in the last decade. Heck, I have a program that can do it and then another that can reveal what was hidden. I'm an ex-hacker.

So, when I open the readme and instructions for BlackBerry Enterprise Server Express Interim Security Update for February 12th 2013, I get another language (can't tell which). I did get the download. How to let Blackberry.com know? Thanks,
